Methods and apparatus for scalable secure remote desktop access

ABSTRACT

The invention provides scalable, secure, and easily administerable methods and systems for providing remote access to networked resources by combing aspects of physical access limitation measures with traditional computer access limitation measures. The methods and systems utilize an enrollment administration system for specifying enrollment rules, an enrollment system configured to communicate with the enrollment administration system to permit enrolling a first networked resource if permitted by specified enrollment rules, and a remote access system for granting a user remote access to the first networked resource if the user successfully enrolled the first networked resource.

TECHNICAL FIELD

The present invention generally relates to computer networking, and morespecifically to a secure method of granting remote access to computerdesktops.

BACKGROUND

Many corporate computer users regularly rely on the applications andfiles stored on the hard drive of their personal office computers fortheir computing needs. However, most of these computers lackportability, or if portable, can not provide suitable access toresources available to their personal office computers.

In order to provide computer users access to the resources of theirpersonal office computers from remote devices, such as their homecomputers or laptops, programmers have developed several technologiesfor remotely accessing the resources of a computer, called a host, froma second, remote device, called a client. Using such technologies, aremote user's client display displays what might be seen on the displayof the host computer were the user physically viewing the host display.In addition, remote access software allows remote users to interact withthe host computer with the client's input devices, such as a keyboard ormouse, as if the user was using the host's input device. Any computationinitiated by the user's input is carried out by the host computer andthe results are displayed on the client display as if it were the hostdisplay.

While these technologies have been successful and useful on a limitedscale, they can present administrative burdens in large scale,enterprise systems. Large enterprise systems require secure regulatedaccess for large numbers of users to large numbers of networkedresources. Some systems allow specification of broad access rules thatapply to groups of users or resources, but do not typically place accesslimitations on any individual or individual resource. Some systems haveindividual permission-based methods that typically require a systemadministrator to specify access limitations for each and every user andresource. The former methods often provide insufficient security sincethe access rules tend to be overly broad, and the latter method commonlyrequires an unusually high level of administrative overhead in largesystems.

SUMMARY OF THE INVENTION

One object of the invention is to provide scalable, secure, and easilyadministerable methods and systems for providing remote access tonetworked resources by combining aspects of physical access limitationmeasures with traditional computer access limitation measures.

In one aspect, the invention relates to a method of administering acomputer network. The method includes providing an enrollmentadministration system for specifying enrollment rules, and an enrollmentsystem configured to communicate with the enrollment administrationsystem to permit enrolling a first networked resource if permitted bythe specified enrollment rules. The method also includes providing aremote access system for granting a user remote access to the firstnetworked resource if the user successfully enrolled the first networkedresource. In one embodiment the networked resource is a computer.

In one embodiment, the remote access system is provided for installationon the first networked resource. In another embodiment, the remoteaccess system is provided for installation on a shared network resource.In this embodiment, the remote access system grants remote access to thefirst networked resource and a second networked resource subject to thespecified enrollment rules and the user's enrollment of the first andsecond networked resources. In another embodiment, the remote accesssystem denies remote access to a user that has not enrolled the firstnetworked resource. In a further embodiment, the remote access includesremote access to the desktop of the first networked resource.

In another embodiment, the enrollment system disallows enrolling thefirst network resource from a remote console. In another embodiment, theenrollment system requires enrolling the first networked resource from aconsole that is physically attached to the first networked resource. Instill another embodiment, the enrollment system is a networkapplication. In one embodiment, the method further includes providing alocator system for determining the location of a user attempting toenroll the first networked resource. In a further embodiment, theenrolling of the first networked resource is further subject to thedetermined location.

In another aspect, the invention relates to a computer system thatincludes an enrollment administration system for specifying enrollmentrules. The computer system also includes a first networked resource thatis configured to communicate with the enrollment administration systemand a remote device configured to communicate with the first networkedresource via a communications channel, such as a network. In addition,the computer system further includes an enrollment system for enrollingthe first networked resource if permitted by the specified enrollmentrules and a remote access system for granting a user of the remotedevice remote access to the first networked resource if the firstnetworked resource was successfully enrolled. In one embodiment, thecomputer system also includes an enrollment database that stores a listof networked resources that a user has enrolled.

In still another aspect, the invention relates to a method of networkadministration that includes specifying an enrollment rule and enrollinga first networked resource if permitted by the specified enrollmentrule. The method also includes granting a user remote access to thefirst networked resource from a remote device if the user had previouslysuccessfully enrolled the first networked resource, and otherwisedenying a user access to the first networked resource from the remotedevice. In one embodiment, specifying an enrollment rule includesdefining a plurality of groups of users, defining a plurality of groupsof networked resources, and specifying a group of networked resourcesthat a group of users is permitted to enroll.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing discussion will be understood more readily from thefollowing detailed description of the invention, when taken inconjunction with the accompanying drawings:

FIG. 1 is a schematic depiction of remote desktop access according to anillustrative embodiment of the invention.

FIG. 2 is a schematic diagram depicting a computer network according toan illustrative embodiment of the invention.

FIG. 3A is a diagram of a set of computer network resource groupingsaccording to an illustrative embodiment of the invention.

FIG. 3B is a diagram of a set of computer network user groupingsaccording to an illustrative embodiment of the invention.

FIG. 4 is a table depicting example enrollment rules according to anillustrative embodiment of the invention.

FIG. 5 is a flow chart of a method for enrolling a networked resourceaccording to an illustrative embodiment of the invention.

FIG. 6 is a enrollment database depicting an example set of enrollmentsaccording to an illustrative embodiment of the invention; and

FIG. 7 is a flow chart of a method of granting remote access to acomputer according to an illustrative embodiment of the invention.

DETAILED DESCRIPTION

In the physical world, one protects resources by implementing physicalaccess limitations. File cabinets are locked, vaults are sealed, andoffice doors are closed. In any of these cases, having the key, alone,is not sufficient to access the resources within the cabinet, vault, oroffice. One must both have the key and simultaneously be physicallypresent at the cabinet, vault, or office. In a traditional networkedcomputer environment, however, improvements in access restrictions havefocused on creating more complex locks and keys (e.g., user-password/PINsystems, biometric identity verification, voice verification, etc.) andhave largely ignored the security benefits that physical accesslimitations can provide. That is, for many computer systems, if a userhas the appropriate “key,” that user can access a networked resourcewithout ever needing to have actually been physically present near theresource. One object of the present invention is to provide scalable,secure, and easily administerable methods and systems for providingremote access to networked resources by combining aspects of physicalaccess limitation measures with traditional computer access limitationmeasures. Such a combination combines the low-overhead advantages ofrules-based access limitations with the individualized securityadvantages of individual permission-based access limitations, withoutincurring the associated additional administrative costs.

Referring to FIG. 1, a first networked resource 100 is physicallylocated in a particular location, for example, in an office. Networkedresources can include, for example, desktop computers, workstations,laptops, handheld computers, mobile phones, personal digital assistants,computing devices that are network capable, printers, storage devices,peripherals, etc., and any data, applications, or capabilities availableon or from the resources. The first networked resource 100 may haveaccess to other networked resources 104 via network 106. A remote device102 is in communication with the first networked resource 100 via acommunication link 108, such as a computer network. The remote device102 may be a computer such as a workstation, desktop computer, laptop,handheld computer, or any other form of computing or telecommunicationsdevice that is capable of communication and that has sufficientprocessor power and memory capacity to perform the operations describedherein (e.g., a mobile phone or personal digital assistant). Thecommunication link 108 can be implemented with any of a variety ofsuitable technologies, for example, over standard telephone lines, LANor WAN links (using, e.g., 802.11, T1, T3, 56 kb, or X.25 protocols),broadband connections (using, e.g., ISDN, Frame Relay, or ATMprotocols), and wireless connections, or some combination of any or allof the above.

In an illustrative embodiment of the invention, the first networkedresource 100 is a computer that serves as a host, and the remote device102 serves as a client. A user of the remote device 102 is grantedaccess to the first networked resource 100 such that the user has accessto the desktop of the first networked resource 100. That is, instead ofonly having access to the services of the first networked resource 100,the display of the remote device 102 displays what a user might see onthe console monitor of the first networked resource 100. Likewise, theuser can provide input (e.g., keyboard and mouse input) to the firstnetworked resource 100 from the remote device 102 that is interpreted bythe first networked resource 100 as if such input were made from aconsole that is physically attached to first networked resource.

In one such embodiment, remote access is accomplished using MetaFramePresentation Serverg, manufactured by Citrix Systems, Inc. of Ft.Lauderdale, Fla., on the first networked resource 100 in conjunctionwith the use of Citrix's Independent Computing Architecture® (ICA)clients on the remote device 102.

In an alternative embodiment, remote access is provided by RemoteDesktop software. Remote Desktop is a feature included in the WindowsXP® Professional operating system, manufactured by Microsoft Corporationof Redmond, Wash., that allows a host computer, such as the firstnetworked resource 100, to provide access to that host's desktop toclients, such as the remote device 102, that have the Remote Desktopclient software installed. Remote Desktop client software is included inthe Windows XP® operating system and is available for computers runningthe Windows 95®, Windows 98®, Windows Me®, Windows NT® 4.0, or Windows2000® operating systems. Remote Desktop uses the Remote DesktopProtocol, also known as RDP, to communicate between the host and theclient.

It is to be understood that embodiments of the invention may beimplemented using other suitable software and communications protocols.For example, the host could operate a web server that a client could logon to using standard internet protocols such as HTTP. Other systems forremote desktop access include pcAnywhere®, manufactured by SymantecCorporation of Cupertino, Calif.

In addition to, or instead of granting remote desktop access, otherembodiments of the invention provide more limited remote access tonetworked resources. For example, in one embodiment, the inventionprovides remote access to files stored on a computer. In anotherembodiment, the invention provides remote access to applications storedon a resource, but not to any data files stored thereon. In anotherembodiment, the invention provides remote access to a printer, display,or other output device.

In another embodiment, the invention provides only limited remotedesktop access. For example, a user might be able to access filesphysically stored on the computer whose desktop he or she is accessing,but access to other networked resources, such as file server, throughvia desktop is limited.

Referring now to FIG. 2, an illustrative computer system 200 includes anumber of networked resources, shown in the figure as exemplarycomputers TermA 202, TermB 204, TermC 206, CAD A 208, CAD B 210, CAD C212, AdminA 214, AdminB 216, AdminC 218- and referred to collectively as“the computers.” The computers 202, 204, 206, 208, 210, 212, 214, 216,and 218 may be geographically proximate or dispersed. For example, someor all computers in the computer system 200 may be located in adifferent locations than other computers in the computer system. Forexample, Term 202 could be remote from TermB 204 and the other computers206, 208, 210, 212, 214, 216 and 218.

As depicted in the figure, however, computers TermA 202, TermB 204, CADC212, and AdminC 218 are located in a first building 220, and computersTermC 206, CAD A 208, CAD B 210, AdminA 214, and AdminB 216 are locatedin a second building 222. The computers 202, 204, 206, 208, 210, 212,214, 216, and 218 are connected to each other over an enterprise-classnetwork 224. The computer system 200 also provides access for a remotedevice 201 to connect to the network 224 to access one of the computers202, 204, 206, 208, 210, 212, 214, 216, and 218 and the networkedresources. The remote device 201 may be part of or outside of thecomputer system 200, and connects to the computer system 200 via acommunications link 203.

The computer network 200 includes an access administration system 226.In general, the access administration system 226 is a logical groupingof several related systems that are used to determine and govern users'abilities to access and use networked resources. Each system may belocated and/or executed on a computer in the first or second buildings220 and 222, on a computer located in a third building (not shown), onany of the computers previously described 202, 204, 206, 208, 210, 212,214, 216, and 218, or distributed throughout any or all of the above thecomputers.

The access administration system 226 includes an enrollmentadministration system 228 for specifying enrollment rules. In oneembodiment the enrollment administration system 228 is a software moduleor program made available to system administrators, for specifying suchrules, although other implementations are possible. Enrollment rulesspecify which users or groups of users are permitted to enrollindividual or groups of networked resources, where enrollment is the actof obtaining authorization to later access a network resource from aremote device 102. A system administrator specifies an enrollment ruleby defining groups of one or more users, defining groups of networkedresources, and then specifying which group or groups of users arepermitted to enroll which group or groups of networked resources.

To facilitate defining groups and specifying rules, in one embodimentthe enrollment administration system 228 provides a graphical userinterface that allows the system administrator to drag-and-drop usersand resources into groups and to drag-and-drop groups into enrollmentrules. In another embodiment, the graphical user interface provides apoint-and-click interface that allows a system administrator to buildgroups and rules from lists of users, resources, and groups. In stillother embodiments, a system administrator builds a group by typing in alist of user or resource identifiers (e.g., names, user names, emailaddresses, employee numbers, IP addresses, resource names, etc.).Whichever interface is used, the interface also allows for users orresources to be removed from groups or shifted to other groups and forrules to be altered.

In a further embodiment, the administrator may utilize previouslydefined groupings. Large organizations often have user and resourcegroupings defined for other computing purposes. Such groups are definedfor example using various domains, Active Directory, or lightweightdirectory access protocol (LDAP) directories. Resource groups may alsobe defined by providing ranges of IP addresses.

In one embodiment, enrollment rules are distinct from other accessrules. For example, a system administrator may specify enrollment rulesthat permit a group of users to enroll a group of networked resourcesfor remote access that the users would not otherwise be authorized touse directly. Likewise, a group of users that may be authorized todirectly access a group of networked resources may not be authorized toenroll those networked resources for remote access if no such enrollmentrule has been specified. In one embodiment, the enrollmentadministration system stores the enrollment rules in an enrollment rulesdatabase. In another embodiment the enrollment administration system 228also includes an enrollment database that identifies each networkedresource that each user has enrolled.

The access administrative system 226 includes an enrollment system 230configured to communicate with the enrollment administration system 228to permit enrolling a first networked resource if permitted by specifiedenrollment rules. In one embodiment, the enrollment system 230 is anetwork application, in particular, a JAVA® application stored on acentral server and downloaded to a networked resource in response to auser's request to enroll a networked resource. The enrollment requestmay be initiated, for example, by clicking on an icon on the desktop ofthe networked resource, clicking on a hyperlink on a web page, orrequesting to enroll the computer from a menu.

In alternative embodiments the enrollment system 230 operates on anetworked server and the user communicates with the enrollment system230 through a common gateway interface (CGI) via an Internet browserusing HTTP, HTML, XML, or another known network protocol. In yet afurther embodiment, the enrollment system 230 is installed on anetworked resource by transferring the software code embodying theenrollment system 230 onto the networked resource from an electronicstorage medium (e.g, a floppy disk, zip disk, CD-ROM, DVD-ROM, etc.).

The enrollment system 230 provides an interface for a user requestingenrollment to identify himself and the resource that the user isrequesting to enroll. The enrollment system 230 communicates with theenrollment administration system 228 to determine whether a user is infact permitted to enroll that resource. In one embodiment, thecommunication includes sending a message to the enrollmentadministration system 228 that contains the identification of the userrequesting enrollment of the networked resource and the identificationof the networked resource the user is requesting to enroll. Thecommunication, in one embodiment, includes transmitting a databasequery, for example using Structured Query Language (SQL), to theenrollment administration system 228. In another embodiment, thecommunication includes a remote procedure call to be executed on theenrollment administration system 228, the result of which is a Booleanvalue indicating whether the user is permitted to enroll the resource.In a further embodiment, the communication includes transmitting abusiness logic command to be interpreted by the enrollmentadministration system 228.

In yet another embodiment, the enrollment administration system 228transmits an up-to-date enrollment rules database to the enrollmentsystem 230. In this embodiment, after receiving the up-to-dateenrollment rule database, the enrollment system 230 queries theenrollment rule database (e.g., using SQL) to determine if the user ispermitted to enroll the database. The communications may take place overa variety of wired connections (using, e.g., TCP/IP, ISDN, Frame Relay,or ATM protocols), and wireless connections, or some combination of anyor all of the above.

In one embodiment, the enrollment system 230 is also responsible forverifying the identity of the user. User identity verification may beconducted, for example, by collecting user name-password/PINcombinations, collecting a user's biometric data, collecting a sample ofthe user's voice, etc.

The access administrative system 226 also includes a remote accesssystem 232 for granting remote access to the first networked resource ifthe user successfully enrolled the first networked resource. In oneembodiment, the access administration system 226 controls general accessto the network (i.e., not to any specific resource), in addition tocontrolling remote access to individual or groups of networkedresources. In one embodiment the remote access system 232 is a softwaremodule operating on a central network server. If a user attempts toremotely access a networked resource, the user first contacts the remoteaccess system 232 on the central server. In another embodiment, eachenrollable network resource has a copy of the remote access system 232installed, or the networked resource may download a copy of theenrollment system 230 from a server upon receipt of a remote accessrequest.

In one embodiment, the remote access system 232 receives the request forremote access, verifies the identity of the user requesting access anddetermines whether that user has enrolled the networked resource thatthe user is requesting remote access to by consulting an enrollmentdatabase maintained by the enrollment administration system 228. If theuser has enrolled the networked resource, the remote access system 232grants permission to the user to access the networked resource and suchaccess is initiated.

In the embodiments described above, the systems 226, 228, 230, and 232are implemented as software modules or programs. One skilled in the artshould appreciate that some or all of the system functionality mayinstead be implemented in a manner other than just described, forexample in hardware, such as an Application Specific Integrated Circuit(ASIC) and the like.

The operation of the systems of the access administration system 226 maybe understood further with reference to FIGS. 3-7.

Referring to FIG. 3A and FIG. 3B, to ease the burden on systemadministrators, system administrators may use the access administrationsystem 226 or one of its constituent systems to aggregate users andresources into groups that share common characteristics, since as thenumber of network resources and users of a computer system 200increases, it becomes increasingly time consuming to individually assignaccess rights to each user. Referring to FIG. 3A, an illustrative set300 of network resources of the computer system 200 may be grouped intoWorkstations 302 which includes TermA 202, TermB 204, and TermC 206; CADTerminals 304 which includes CAD A 214, CAD B, 216, and CAD C 218; andAdministrative Assistant Terminals AdminA 208, AdminB 210 and AdminC212. Referring to FIG. 3B, an illustrative set 307 of computer users maybe grouped as follows: Tara 314, Tom 316, and Ted 318 may be grouped asmembers of the Information Technology (IT) Staff 308; Ellie 320, Erica322, and Edward 324 may grouped as Engineers 310, and Alex 326, Amy 328,and Andrew 330 may be grouped as Administrative Assistants 312.

In one embodiment, a system administrator may specify groupings of usersand/or resources using the access administration system 226. In oneembodiment, the access administration system 226 provides a graphicaluser interface with which a system administrator may drag and drop, orpoint-and-click to add users or resources to groups. In anotherembodiment, the enrollment administration system 228 also providesgroup-management functionality via a similar interface. The groupscreated for the purposes of specifying enrollment rules may be differentfrom the groups created for specifying other access rules.

After groups of users and resources are defined, rules may be specifiedto limit the ability of a group of users 308, 310, or 312 to bothdirectly and/or remotely access and use a group of network resources302, 304, and 306. For example, since members 314, 316, and 318 of theIT staff 308 are responsible for maintaining the computers 202, 204,206, 208, 210, 212, 214, 216, and 218, a system administrator wouldlikely want to give the of IT Staff 308 access to all of the computers202, 204, 206, 208, 210, 212, 214, 216, and 218. In contrast, a systemadministrator may want to limit Administrative Assistants 312 to only beable to access the Administrative Assistant Terminals with lessercapabilities. Engineers 310 may be granted access to Workstations 302and CAD Terminals 304, but not to the Administrative Assistant Terminals306 used by Administrative Assistants 312.

In one embodiment, a system administrator may restrict the ability of auser to remotely access a networked resource without specifyingindividual user/resource limitations. As mentioned above, the computersystem 200 operates under a presumption that a computer user should onlybe able to remotely access a computer to which the user is capable ofachieving direct physical access. If a user does not have physicalaccess to a networked resource, that user should not be able tocircumvent physical security measures by accessing the networkedresource remotely. Here, physical access means access to an input device(such as a keyboard, mouse, trackball, microphone, touchscreen,joystick, etc.) connected to a console that is physically attached tothe networked resource. Connection may include wireless communication inthe case where input devices communicate with a resource using a shortrange wireless signal (e.g., a wireless keyboard or mouse). In a simpleexample, Engineers 310, in general, have access to CAD Terminals 304 butonly in the buildings in which they work. Engineer Ellie 320, working inthe second building 222, does not have physical access to CAD C 212,because it is located in the first building 220. Likewise, if Elliekeeps her Workstation 302, TermA 402, in a locked office for privacy orsecurity reasons, other users will not have physical access to thatworkstation 302.

According to an embodiment of the invention, to enforce this extensionof physical access limitations into the remote access environment, thecomputer system 200 includes the enrollment functionality describedabove. Namely, a user cannot gain remote access to a networked resourceof the computer system 200 if the user has not first enrolled thenetworked resource. Preferably, a user may only enroll a networkedresource if the user requests enrollment using an input device (e.g.,keyboard, mouse, microphone, display, etc.) connected to a console thatis physically attached to the networked resource. As such, if a usercannot physically access such an input device, the user will not be ableto enroll the network resource and will not be able to access thenetworked resource remotely.

In one such embodiment, not all users who have direct physical access toa computer may enroll the computer. Enrollment rules specify which usersor groups of users are authorized to enroll which networked resources orgroups of networked resources. Preferably, the enrollment rules arespecified at a user/resource group level rather than at an individualuser/resource level, for purposes of efficiency. The groups may be thesame groups as used for specifying other access rules or the groups maybe different.

Referring to FIG. 4A, a table 400 depicts illustrative enrollment rules,where rows represent groups of users 308, 310, and 312, and columnsrepresent groups of networked resources 302, 304, and 306. A systemadministrator specifies enrollment rules, for example using theenrollment administration system 228. To do so, the system administratordefines a plurality of groups of users 308, 310, and 312 and alsodefines groups of networked resources 302, 304, and 306 as describedabove with respect to FIGS. 3A and 3B. The system administrator thenspecifies which groups of users may enroll which groups of networkedresources. For example, in the table 400, a system administrator hasspecified that IT staff members 308 can enroll Workstations 302, CADTerminals 304, and Administrative Assistant Terminals 306 as indicatedby the “X”s at the intersections of the IT Staff 308 row and the columnsfor each of the groups of networked resources. Similarly, Engineers 310can enroll Workstations 302 and CAD Terminals 304, and AdministrativeAssistants 312 can only enroll Administrative Assistant Terminals 306.

It should be understood that these rules may be specified in a tableform as just described, but also or instead through use of commands,data lists, data files, XML tags or any other suitable mechanism forrule specification.

Using the enrollment administration system 228, system administratorscan readily alter enrollment rules once specified. For example, toreflect changes in staffing (e.g., the firing, hiring or shifting of anemployee) the system administrator may add or remove users to and fromuser groups. The same may be done for networked resource groups. Policydecisions affecting entire groups may be implemented by changing thegroups of networked resources that a group of users is permitted toenroll. For example, if the system administrator that specified theenrollment rules in the table 400 decided that Administrative Assistants312 should also be able to enroll all workstations, the rule forAdministrative Assistants 312 may be altered accordingly. In the casethat a system administrator removes the ability of one or more users, orgroups of users to enroll one or more network resources, the usersaffected will no longer be able to enroll those networked resources. Insome embodiments, if the networked resources were already enrolled bythe affected users, the change in the enrollment rule may cause thenetworked resources to be unenrolled.

Referring to FIG. 5, a flow chart of a method 500 of enrolling anetworked resource (e.g., computers 202, 204, 206, 208, 210, 212, 214,216, and 218) begins with specification of enrollment rules (step 502),for example by a system administrator as described above. When a userrequests to enroll a networked resource (step 504), the enrollmentsystem 230 verifies the identity of the user (step 506). Identityverification (step 506) may be achieved through any identityauthentication means, including for example, user-password or PINauthentication, biometric identification, voice identification, etc.

The enrollment system 230 and the enrollment administration system 228determine whether the user is permitted by the enrollment rules toenroll the networked resource that the user is requesting to enroll(step 508). In the illustrative embodiment, the enrollment system 230sends an enrollment request to the enrollment administration system 228.The enrollment request includes the identification of the networkedresource that the user is requesting to enroll and the identification ofthe user. The enrollment administration system 228 then compares thenetworked resource/user pairing with the enrollment rules to determineif the user is a member of a group that has permission to enroll any ofthe networked resources of the group to which the networked resource inquestion belongs.

Single-use copies of the enrollment rules may be downloaded to thenetworked resource from the enrollment administration system 228 eachtime a user attempts to enroll a networked resource, and in otherimplementations a networked resource may maintain a persistent set ofenrollment rules that is updated by the enrollment administration system228 when a system administrator alters the enrollment rules. In eitherof these cases, the permission verification (step 508) is carried out onthe networked resource.

If the user is permitted to enroll the networked resource based on theenrollment rules, the location of the user is determined (step 510). Inone embodiment, a locator system determines the location of the user byretrieving the IP address of the networked resource from which theenrollment request was sent, typically included in the header of thepackets that made up the communication, and executing a reverse DomainName Server (DNS) look-up routine to determine the source of therequest. The enrollment administration system 228 then determineswhether the user requested enrollment of the networked resource from aconsole that is physically attached to networked resource the user isrequesting to enroll (step 512) by comparing the determined enrollmentrequest source with the networked resource that is identified in theenrollment request. In another embodiment, the locator system transmitsto, and causes the execution of a Java® applet or ActiveX® control onthe requested resource to determine whether the user is actually loggedin to a console that is physically attached to the resource. In afurther embodiment, the source of the request may be verified bytransmitting to, and causing the execution of a Java® applet or ActiveX®control on the source of the request that forces the source to identifyitself. The enrollment administration system 228 then compares theforced identification with the network resource the user requested toenroll. In one embodiment, the enrollment administration system carriesout a combination of two or more of the above listed verificationmethods to ensure a robust request source identification.

If it is determined that the user sent the enrollment request from aconsole that is physically attached to the networked resource that theuser is requesting to enroll (step 512), the enrollment administrationsystem 228 enrolls the networked resource for the user (step 514) byupdating an enrollment database. (See FIG. 6 below). If the user is notpermitted to enroll the networked resource based on the enrollmentrules, or it is determined that the user is attempting to enroll thecomputer from a remote location, enrollment is denied (step 516).

In an alternative embodiment, the enrollment administration system 228determines the location of the user and verifies that the user isrequesting enrollment of the networked resource from which theenrollment request originated before determining whether the user ispermitted to enroll the networked resource according to the enrollmentrules. In a further embodiment, the enrollment administration system 228enables a system administrator to specify enrollment rules that allow agroup of users to remotely enroll networked resources or to specifygroups of resources that may be enrolled remotely. For example, in oneembodiment, enrollment rules allow a user to enroll a file server (or aportion of a file server) that is part of a secure network from aconsole that is a part of that secure network but that is not physicallyattached to the file server.

Referring to FIG. 6, the enrollment administration system 228 maintainsthe information about enrolled resources and users. This storage may beimplemented in many ways, including in the form of data files in adatabase. As shown in the illustrative depiction of the contents of anenrollment database 600, in the figure, the database 600 storesenrollment data for each individual user and each networked resource.When a user successfully enrolls a networked resource (step 514), theenrollment is stored in the enrollment database 600. For example,according to the enrollment database 600, engineer Ellie 320 hasenrolled TermA, CAD A and CAD B. The table is consulted when a userattempts to remotely access a networked resource.

Referring to FIG. 7, a method 700 of granting remote access to anetworked resource includes querying the enrollment database forexample, the enrollment database 600. When a user attempts to remotelyaccess the first networked resource 100, the request for access isreceived by the remote access system 232 (step 702). The remote accesssystem 232 verifies the identification of the user (step 703), alsoreferred to as authentication. As described above in relation toverifying an identity of a user in the enrollment context, the remoteaccess system 232 may authenticate a user using any suitable identityauthentication means, including user name-password/PIN pairs,certificates, biometric data, one time keys, voice samples, etc. Theremote access system 232 then determines whether the user has previouslyenrolled the first networked resource 100 (step 706). If the user haspreviously enrolled the first networked resource, the remote accesssystem 232 grants access to the first networked resource 100 (step 708),otherwise the remote access system 232 denies remote access to the firstnetworked resource 100.

In alternative embodiments, a system administrator could set additionalremote access rules that limit which remote devices users may use toremotely access networked resources. For example, a system administratormay specify a rule that only allows users or groups of users to remotelyaccess networked resources or a group of networked resources from anetworked resource directly connected to the computing system 200. Undersuch a rule, Tara 314, for example, who according to the enrollmentdatabase 600 has enrolled AdminC 218, could remotely access AdminC 218from AdminA 214, but Ted 318, who also has enrolled AdminC 218 could notremotely access AdminC from remote device 102.

One skilled in the art will realize the invention may be embodied inother specific forms without departing from the spirit or essentialcharacteristics thereof. The foregoing embodiments are therefore to beconsidered in all respects illustrative rather than limiting of theinvention. The scope of the invention is not limited to just theforegoing description.

1. A method of administering a computer network, the method comprising:providing an enrollment administration system for specifying enrollmentrules; providing an enrollment system configured to communicate with theenrollment administration system to permit enrolling a first networkedresource if permitted by specified enrollment rules; and providing aremote access system for granting a user remote access to the firstnetworked resource if the user successfully enrolled the first networkedresource.
 2. The method of claim 1 wherein the networked resource is acomputer.
 3. The method of claim 1 wherein the remote access systemdenies remote access to the first networked resource to a user that hasnot enrolled the first networked resource.
 4. The method of claim 1wherein the remote access system is provided for installation on thefirst networked resource.
 5. The method of claim 1 wherein the remoteaccess system is provided for installation on a shared network resource,and the remote access system grants remote access to the first networkedresource and a second networked resource subject to the specifiedenrollment rules and the user's enrollment of the first networkedresource and the second networked resource.
 6. The method of claim 1wherein the enrollment system disallows enrolling the first networkedresource from a remote console.
 7. The method of claim 1 wherein theenrollment system requires enrolling the first networked resource fromconsole physically-attached to the first networked resource.
 8. Themethod of claim 1 wherein the remote access comprises remote access tothe desktop of the first networked resource.
 9. The method of claim 1wherein the enrollment system is a network application.
 10. The methodof claim 9 further comprising providing a locator system for determiningthe location of a user attempting to enroll the first networkedresource.
 11. The method of claim 10 wherein enrolling the firstnetworked resource is further subject to the determined location.
 12. Acomputer system comprising: an enrollment administration system forspecifying enrollment rules; a first networked resource configured tocommunicate with the enrollment administration system; a remote deviceconfigured to communicate with the first networked resource via acommunications channel; an enrollment system for enrolling the firstnetworked resource if permitted by the specified enrollment rules; and aremote access system for granting a user of the remote device remoteaccess to the first networked resource if the first networked resourcewas successfully enrolled.
 13. The computer system of claim 12 whereinthe first networked resource is a computer.
 14. The computer system ofclaim 12 wherein the remote access system denies remote access to thefirst networked resource to a user of the remote device that has notenrolled the first networked resource.
 15. The computer system of claim12 wherein the remote access system is installed on the first networkedresource.
 16. The computer system of claim 12 wherein the remote accesssystem is installed on a shared network resource, and the remote accesssystem grants a user of the remote device access to the first networkedresource and a second networked resource subject to the enrollment rulesand the user's enrollment of the first and second networked resources.17. The computer system of claim 12 wherein the enrollment systemdisallows enrolling the first networked resource from a remote console.18. The computer system of claim 12 wherein the enrollment systemrequires enrolling the first networked resource from a consolephysically-attached to the first networked resource.
 19. The computersystem of claim 12 wherein the remote access to the first networkedresource comprises remote access to the desktop of the first networkedresource.
 20. The computer system of claim 12 wherein the enrollmentsystem is a network application.
 21. The computer system of claim 20further comprising a locator system for determining the location of auser attempting to enroll the first networked resource.
 22. The computersystem of claim 21 wherein enrolling the first networked resource isfurther subject to the determined location of user.
 23. The computersystem of claim 12 wherein the enrollment administration systemcomprises an enrollment database that stores a list of networkedresources a user has enrolled.
 24. A method of network administrationcomprising: specifying an enrollment rule; enrolling a first networkedresource if permitted by the specified enrollment rule; granting a userremote access to the first networked resource from a remote device ifthe user had previously successfully enrolled the first networkedresource; and denying an user access to the first networked resourcefrom the remote device if the user had not previously successfullyenrolled the first networked resource.
 25. The method of claim 24wherein the first networked resource is a computer.
 26. The method ofclaim 24 wherein specifying an enrollment rule further comprises:defining a plurality of groups of users; defining a plurality of groupsof networked resources; and specifying a group of networked resourcesthat a group of users is permitted to enroll.
 27. The method of claim 24wherein enrolling the first networked resource is disallowed from aremote console.
 28. The method of claim 24 wherein enrolling the firstnetworked resource requires the user to enroll from a console physicallyattached to the first networked resource.
 29. The method of claim 24wherein granting access to the first networked resource comprisesgranting access to the desktop of the first networked resource.